public inbox for [email protected]help / color / mirror / Atom feed
Error in SSL config documentation? 4+ messages / 2 participants [nested] [flat]
* Error in SSL config documentation? @ 2011-05-07 16:40 Khusro Jaleel <[email protected]> 0 siblings, 1 reply; 4+ messages in thread From: Khusro Jaleel @ 2011-05-07 16:40 UTC (permalink / raw) To: pgsql-docs Hello, according to section 17.8.1 of the docs, I have added "clientcert" to a hostssl line in my pg_hba.conf file, but upon restart of the server, I'm getting the following error and the server fails to start up: LOG: invalid authentication method "clientcert" CONTEXT: line 82 of configuration file "/var/lib/pgsql/9.0/data/pg_hba.conf" FATAL: could not load pg_hba.conf Changing the "clientcert" to "cert" seems to work. So does this mean the documentation is incorrect? ^ permalink raw reply [nested|flat] 4+ messages in thread
* Re: Error in SSL config documentation? @ 2011-05-07 17:46 Magnus Hagander <[email protected]> parent: Khusro Jaleel <[email protected]> 0 siblings, 1 reply; 4+ messages in thread From: Magnus Hagander @ 2011-05-07 17:46 UTC (permalink / raw) To: Khusro Jaleel <[email protected]>; +Cc: pgsql-docs On Sat, May 7, 2011 at 18:40, Khusro Jaleel <[email protected]> wrote: > Hello, according to section 17.8.1 of the docs, I have added "clientcert" to > a hostssl line in my pg_hba.conf file, but upon restart of the server, I'm > getting the following error and the server fails to start up: > > LOG: invalid authentication method "clientcert" > CONTEXT: line 82 of configuration file > "/var/lib/pgsql/9.0/data/pg_hba.conf" > FATAL: could not load pg_hba.conf > > Changing the "clientcert" to "cert" seems to work. So does this mean the > documentation is incorrect? These are two different things. as the docs say, "The clientcert option in pg_hba.conf is available for all authentication methods, but only for rows specified as hostssl.", and a bit further down "If you are setting up client certificates, you may wish to use the cert authentication method, so that the certificates control user authentication as well as providing connection security. " cert is the authentication method that uses client certificates to log in. clientcert=1 makes the server request a client certificate - but does not use it for authentication. So the client just has to present *any valid* client certificate, and can then use whatever other authenticaiton method is specified (md5, ldap, etc). -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/ ^ permalink raw reply [nested|flat] 4+ messages in thread
* Re: Error in SSL config documentation? @ 2011-05-07 18:03 Khusro Jaleel <[email protected]> parent: Magnus Hagander <[email protected]> 0 siblings, 1 reply; 4+ messages in thread From: Khusro Jaleel @ 2011-05-07 18:03 UTC (permalink / raw) To: pgsql-docs On 07/05/11 18:46, Magnus Hagander wrote: > clientcert=1 makes the server request a client certificate - but does > not use it for authentication. So the client just has to present *any > valid* client certificate, and can then use whatever other > authenticaiton method is specified (md5, ldap, etc). Ah, I see now. When you wrote "clientcert=1" above, that made me realise that I was making a mistake. I was using "clientcert" in the authentication method column, and you can't use it there because it's an "option" to "any other auth method" and not a auth method on its own. I did read the doc and this was not clear to me at first, so perhaps it could be made clearer? Thanks for your help, Khusro ^ permalink raw reply [nested|flat] 4+ messages in thread
* Re: Error in SSL config documentation? @ 2011-05-07 18:09 Magnus Hagander <[email protected]> parent: Khusro Jaleel <[email protected]> 0 siblings, 0 replies; 4+ messages in thread From: Magnus Hagander @ 2011-05-07 18:09 UTC (permalink / raw) To: Khusro Jaleel <[email protected]>; +Cc: pgsql-docs On Sat, May 7, 2011 at 20:03, Khusro Jaleel <[email protected]> wrote: > On 07/05/11 18:46, Magnus Hagander wrote: > >> clientcert=1 makes the server request a client certificate - but does >> not use it for authentication. So the client just has to present *any >> valid* client certificate, and can then use whatever other >> authenticaiton method is specified (md5, ldap, etc). > > Ah, I see now. When you wrote "clientcert=1" above, that made me realise > that I was making a mistake. I was using "clientcert" in the authentication > method column, and you can't use it there because it's an "option" to "any > other auth method" and not a auth method on its own. > > I did read the doc and this was not clear to me at first, so perhaps it > could be made clearer? Probalby, if you got confused. Do you have a suggestion for a better wording? -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/ ^ permalink raw reply [nested|flat] 4+ messages in thread
end of thread, other threads:[~2011-05-07 18:09 UTC | newest] Thread overview: 4+ messages (download: mbox mbox.gz follow: Atom feed) -- links below jump to the message on this page -- 2011-05-07 16:40 Error in SSL config documentation? Khusro Jaleel <[email protected]> 2011-05-07 17:46 ` Magnus Hagander <[email protected]> 2011-05-07 18:03 ` Khusro Jaleel <[email protected]> 2011-05-07 18:09 ` Magnus Hagander <[email protected]>
This inbox is served by agora; see mirroring instructions for how to clone and mirror all data and code used for this inbox